{"modified": "2011-03-07T21:43:58", "id": "CVE-2006-5878", "edition": 1, "objectVersion": "1.2", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-5878", "cvelist": ["CVE-2006-5878"], "references": ["http://trac.edgewall.org/wiki/ChangeLog", "http://trac.edgewall.org/ticket/4049", "http://www.vupen.com/english/advisories/2006/4422", "http://security.gentoo.org/glsa/glsa-200612-14.xml", "http://www.debian.org/security/2006/dsa-1209", "http://xforce.iss.net/xforce/xfdb/30146"], "bulletinFamily": "NVD", "cpe": ["cpe:/a:edgewall_software:trac:0.8.1", "cpe:/a:edgewall_software:trac:0.50.9", "cpe:/a:edgewall_software:trac:0.5.1", "cpe:/a:edgewall_software:trac:0.8.4", "cpe:/a:edgewall_software:trac:0.7.1", "cpe:/a:edgewall_software:trac:0.6.1", "cpe:/a:edgewall_software:trac:0.9.3", "cpe:/a:edgewall_software:trac:0.9.2", "cpe:/a:edgewall_software:trac:0.9.6", "cpe:/a:edgewall_software:trac:0.8.3", "cpe:/a:edgewall_software:trac:0.10", "cpe:/a:edgewall_software:trac:0.9.5", "cpe:/a:edgewall_software:trac:0.9.4", "cpe:/a:edgewall_software:trac:0.9", "cpe:/a:edgewall_software:trac:0.8.2", "cpe:/a:edgewall_software:trac:0.9.1", "cpe:/a:edgewall_software:trac:0.5.2", "cpe:/a:edgewall_software:trac:0.9b1", "cpe:/a:edgewall_software:trac:0.7", "cpe:/a:edgewall_software:trac:0.8", "cpe:/a:edgewall_software:trac:0.5", "cpe:/a:edgewall_software:trac:0.9b2", "cpe:/a:edgewall_software:trac:0.6"], "title": "CVE-2006-5878", "published": "2006-11-14T14:07:00", "viewCount": 0, "type": "cve", "lastseen": "2016-09-03T07:51:11", "description": "Cross-site request forgery (CSRF) vulnerability in Edgewall Trac 0.10 and earlier allows remote attackers to perform unauthorized actions as other users via unknown vectors.", "hash": "cdc89248f02a1aa1ac9d68d928ff77300d85cae4ce9476d524941b402665c3ff", "reporter": "NVD", "scanner": [], "assessment": {"system": "", "name": "", "href": ""}, "enchantments": {"vulnersScore": 6.8}}

{"result": {"nessus": [{"id": "GENTOO_GLSA-200612-14.NASL", "type": "nessus", "title": "GLSA-200612-14 : Trac: Cross-site request forgery", "description": "The remote host is affected by the vulnerability described in GLSA-200612-14 (Trac: Cross-site request forgery)\n\n Trac allows users to perform certain tasks via HTTP requests without performing correct validation on those requests.\n Impact :\n\n An attacker could entice an authenticated user to browse to a specially crafted URL, allowing the attacker to execute actions in the Trac instance as if they were the user.\n Workaround :\n\n There is no known workaround at this time.", "published": "2006-12-14T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=23866", "cvelist": ["CVE-2006-5878"], "lastseen": "2016-09-26T17:26:06"}], "openvas": [{"id": "OPENVAS:57582", "type": "openvas", "title": "Debian Security Advisory DSA 1209-2 (trac)", "description": "The remote host is missing an update to trac\nannounced via advisory DSA 1209-2.\n\nThe Trac update in DSA 1209 introduced a regression. This update corrects\nthis flaw. For completeness, the original advisory text below:\n\nIt was discovered that Trac, a wiki and issue tracking system for\nsoftware development projects, performs insufficient validation against\ncross-site request forgery, which might lead to an attacker being able\nto perform manipulation of a Trac site with the privileges of the\nattacked Trac user.", "published": "2008-01-17T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=57582", "cvelist": ["CVE-2006-5878"], "lastseen": "2016-09-26T20:41:34"}, {"id": "OPENVAS:57953", "type": "openvas", "title": "Gentoo Security Advisory GLSA 200612-14 (trac)", "description": "The remote host is missing updates announced in\nadvisory GLSA 200612-14.", "published": "2008-09-24T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=57953", "cvelist": ["CVE-2006-5878"], "lastseen": "2016-11-02T12:45:36"}, {"id": "OPENVAS:57580", "type": "openvas", "title": "Debian Security Advisory DSA 1209-1 (trac)", "description": "The remote host is missing an update to trac\nannounced via advisory DSA 1209-1.\n\nIt was discovered that Trac, a wiki and issue tracking system for\nsoftware development projects, performs insufficient validation against\ncross-site request forgery, which might lead to an attacker being able\nto perform manipulation of a Trac site with the privileges of the\nattacked Trac user.", "published": "2008-01-17T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=57580", "cvelist": ["CVE-2006-5878"], "lastseen": "2016-09-26T20:41:40"}], "osvdb": [{"id": "OSVDB:30129", "type": "osvdb", "title": "Trac Unspecified CSRF", "description": "## Solution Description\nUpgrade to version 0.10.1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## References:\nVendor Specific News/Changelog Entry: http://trac.edgewall.org/ticket/4049\n[Vendor Specific Advisory URL](http://www.us.debian.org/security/2006/dsa-1209)\n[Vendor Specific Advisory URL](http://www.gentoo.org/security/en/glsa/glsa-200612-14.xml)\n[Secunia Advisory ID:22868](https://secuniaresearch.flexerasoftware.com/advisories/22868/)\n[Secunia Advisory ID:22789](https://secuniaresearch.flexerasoftware.com/advisories/22789/)\n[Secunia Advisory ID:23357](https://secuniaresearch.flexerasoftware.com/advisories/23357/)\n[CVE-2006-5848](https://vulners.com/cve/CVE-2006-5848)\n[CVE-2006-5878](https://vulners.com/cve/CVE-2006-5878)\n", "published": "2006-11-01T10:48:47", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://vulners.com/osvdb/OSVDB:30129", "cvelist": ["CVE-2006-5848", "CVE-2006-5878"], "lastseen": "2017-04-28T13:20:26"}], "gentoo": [{"id": "GLSA-200612-14", "type": "gentoo", "title": "Trac: Cross-site request forgery", "description": "### Background\n\nTrac is a wiki and issue tracking system for software development projects. \n\n### Description\n\nTrac allows users to perform certain tasks via HTTP requests without performing correct validation on those requests. \n\n### Impact\n\nAn attacker could entice an authenticated user to browse to a specially crafted URL, allowing the attacker to execute actions in the Trac instance as if they were the user. \n\n### Workaround\n\nThere is no known workaround at this time. \n\n### Resolution\n\nAll Trac users should upgrade to the latest version: \n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=www-apps/trac-0.10.1\"", "published": "2006-12-12T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://security.gentoo.org/glsa/200612-14", "cvelist": ["CVE-2006-5848", "CVE-2006-5878"], "lastseen": "2016-09-06T19:47:01"}]}}